The Ultimate GPG Guide

GPG

GPG, or the GNU Privacy Guard, is a standard and a tool for encrypting and signing pretty much any data or communication. It works with a pair of keys, one private and one public; to sign something, a non-shareable passphrase (the one protecting the private key) must be entered.

This guide is mainly intended for programmers wanting to have their keys ready and set to sign their emails and/or commits.

If the keys are already in order (both GPG files, one with the public key block and one with the private key block), skip to Route #2: Use an existing GPG key.

Route #1: Generate the GPG key

gpg --full-gen-key

:white_check_mark: Select RSA as the algorithm

:white_check_mark: Request the maximum keysize (ref: 4096)

:white_check_mark: Specify the expiration date

:white_check_mark: Specify Name, Email and Comment (if any)

Take the following as reference:

Real name: Your Name
Email address: <your_email>
Comment:
You selected this USER-ID:
"Your Name <your_email>"

:white_check_mark: Write a password when asked and that’s it

Note: Now the GPG keys can be used and exported; it's recommended to set a trust level (see Route #2, step 3). Remember that the private key is only for you to have (unless you really trust the service you would upload it to).

:ballot_box_with_check: Backup the GPG keys

This is important in case of changing or losing the operating system.

:large_blue_diamond: Export the public key

gpg --armor --export keyIDNumber > pub.gpg

:large_blue_diamond: Export the private key

gpg --armor --export-secret-keys keyIDNumber > pri.gpg
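Before one of the two backup files is pasted into a Git platform or committed to a repository, it is worth checking which kind of key it holds. The following POSIX shell script is an added check, not part of the original guide: it classifies a file by its armor header line or, for binary exports made without --armor, by the first OpenPGP packet tag (RFC 4880). It assumes only sh, grep and od; no real key material is involved.

```shell
#!/bin/sh
# Added example, not part of the original guide: tell a public key export
# apart from a private key export before the file leaves the machine.
# Only the public file may be uploaded to a Git platform or committed to a
# repository; the private file stays in the backup.
# Assumes POSIX sh, grep and od. No real key material is involved.

# Print one of: public, private, mixed, none
classify_gpg_file() {
    file="$1"
    has_pub=0
    has_sec=0

    # Armored (--armor) exports carry a readable header line.
    if grep -q -- '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$file"; then
        has_pub=1
    fi
    if grep -q -- '-----BEGIN PGP PRIVATE KEY BLOCK-----' "$file"; then
        has_sec=1
    fi

    # Binary exports have no header: look at the first OpenPGP packet tag
    # (RFC 4880). Old-format tag 5 (secret key) is 0x94..0x97, tag 6
    # (public key) is 0x98..0x9b; the new-format equivalents are 0xc5 and 0xc6.
    if [ "$has_pub" -eq 0 ] && [ "$has_sec" -eq 0 ]; then
        first_byte=$(od -An -tx1 -N1 "$file" 2>/dev/null | tr -d ' \n')
        case "$first_byte" in
            9[4-7]|c5) has_sec=1 ;;
            9[89ab]|c6) has_pub=1 ;;
        esac
    fi

    if [ "$has_pub" -eq 1 ] && [ "$has_sec" -eq 1 ]; then
        echo mixed
    elif [ "$has_sec" -eq 1 ]; then
        echo private
    elif [ "$has_pub" -eq 1 ]; then
        echo public
    else
        echo none
    fi
}

# Succeed (exit 0) only when the file holds nothing but a public key.
safe_to_publish() {
    [ "$(classify_gpg_file "$1")" = public ]
}

# Usage: sh classify.sh pub.gpg pri.gpg ...
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(classify_gpg_file "$f")"
done
```

A result of private or mixed means the file must not be added to an account or a repository; safe_to_publish can be wired into a pre-commit hook so the check runs automatically.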

Route #2: Use an existing GPG key

If there is no GPG key yet, go back to Route #1: Generate the GPG key.

1. Import the public key

gpg --import pub.gpg

2. Import the private key

gpg --allow-secret-key-import --import pri.gpg

Provide the passphrase when prompted so the private key can be imported. On GnuPG 2.1 and later the --allow-secret-key-import option is obsolete and ignored, so gpg --import pri.gpg alone is enough.

:white_check_mark: Check the public key

gpg --list-keys

:white_check_mark: Check the private key

gpg --list-secret-keys --keyid-format LONG

3. Set a trust level

It's recommended to set a trust level for the key; for your own key, set it to 5 (ultimate) so GPG treats it as a key you own.

gpg --edit-key keyIDNumber
gpg> trust
  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately (set this one)
  m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
gpg> quit

Route #3: Set up the GPG key to commit

If you want that sweet sweet Verified mark for every commit on your preferred Git platform, you need to do the following:

:one: Have both the GPG key and the (confirmed) Git platform account use the same email address

:two: Add your GPG [public] key to your account

:three: Set Git [Local or Global] to sign commits

The following configuration must be applied inside every project folder where commits are required to be signed with the selected key. For a system-wide configuration, use the --global parameter instead of --local.

:large_blue_diamond: Set Username

git config --local user.name "USERNAME"

:large_blue_diamond: Set Email

git config --local user.email "<your_email>"

:large_blue_diamond: Set GPG key

git config --local user.signingkey keyIDNumber

:large_blue_diamond: Require signing on every commit

git config --local commit.gpgsign true
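The Verified mark only appears when the key named in user.signingkey carries a uid whose email is the one Git puts on the commit (steps :one: and :three: above). The following POSIX shell script is an added example, not part of the original guide: it picks the LONG key ID for a given email out of the gpg --list-secret-keys --keyid-format LONG listing, skipping expired or revoked keys, and checks that a configured (email, key ID) pair is consistent. It assumes sh and awk; the listing embedded in it is constructed sample output with placeholder key IDs and addresses, not real keys.

```shell
#!/bin/sh
# Added example, not part of the original guide: pick the LONG key ID to put
# in user.signingkey and check that it belongs to a uid whose e-mail matches
# the one Git will put on the commit. Platforms only show "Verified" when the
# signing key carries the committer e-mail, so this catches the usual
# mismatch before the first signed commit.
# Assumes POSIX sh and awk. SAMPLE_LISTING is constructed sample output in
# the format of `gpg --list-secret-keys --keyid-format LONG`; the key IDs and
# addresses are placeholders, not real keys.

SAMPLE_LISTING='sec   rsa4096/0123456789ABCDEF 2024-01-01 [SC] [expires: 2026-01-01]
      FFFFFFFFFFFFFFFFFFFFFFFF0123456789ABCDEF
uid                 [ultimate] Your Name <you@example.com>
ssb   rsa4096/FEDCBA9876543210 2024-01-01 [E] [expires: 2026-01-01]
sec   rsa4096/1111111111111111 2023-05-05 [SC] [expired: 2024-05-05]
      AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111
uid                 [ultimate] Your Name <old@example.com>
ssb   rsa4096/2222222222222222 2023-05-05 [E] [expired: 2024-05-05]'

# $1: listing text, $2: e-mail. Prints the long ID of the first usable
# (not expired, not revoked) secret key with a uid for that e-mail;
# prints nothing and exits 1 if there is none.
signing_keyid_for_email() {
    printf '%s\n' "$1" | awk -v email="$2" '
        $1 == "sec" {
            split($2, parts, "/")      # "rsa4096/0123..." -> the ID after "/"
            keyid = parts[2]
            usable = (index($0, "[expired:") == 0 && index($0, "[revoked") == 0)
        }
        $1 == "uid" && usable && index($0, "<" email ">") > 0 {
            print keyid
            found = 1
            exit
        }
        END { exit(found ? 0 : 1) }
    '
}

# $1: listing text, $2: e-mail from `git config user.email`,
# $3: key ID from `git config user.signingkey`. Exit 0 when consistent.
check_commit_identity() {
    expected=$(signing_keyid_for_email "$1" "$2") || return 1
    [ "$expected" = "$3" ]
}

# Demo against the constructed listing. For a real check, use instead:
#   listing=$(gpg --list-secret-keys --keyid-format LONG)
#   check_commit_identity "$listing" "$(git config user.email)" "$(git config user.signingkey)"
if check_commit_identity "$SAMPLE_LISTING" "you@example.com" "0123456789ABCDEF"; then
    echo "user.signingkey 0123456789ABCDEF matches you@example.com"
fi
```

The ID printed by signing_keyid_for_email is the value to give to git config user.signingkey; note that it is the ID of the primary key (the sec line), not of the encryption subkey on the ssb line.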

Finally, detailed feedback and/or suggestions about this procedure are appreciated.
